Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/D...

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/DestroyingByfron/Roblox-Executor-Alt

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIyMjc0MTc1MDE3OTY5NjY2MA.GTaP_b.Fj7PPHRSC9HZBuqab-hq8gnmLm8HwKIuQEUqGo

  • server_id

    1222323968766382140

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/DestroyingByfron/Roblox-Executor-Alt
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9303d46f8,0x7ff9303d4708,0x7ff9303d4718
      2⤵
        PID:4388
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        2⤵
          PID:3236
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3700
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
          2⤵
            PID:3984
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
            2⤵
              PID:4328
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
              2⤵
                PID:2020
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 /prefetch:8
                2⤵
                  PID:4016
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1252
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
                  2⤵
                    PID:2556
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
                    2⤵
                      PID:1896
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
                      2⤵
                        PID:4900
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
                        2⤵
                          PID:464
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5260 /prefetch:8
                          2⤵
                            PID:2208
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                            2⤵
                              PID:4032
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:424
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1399106449159381127,14751038852467904172,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5244
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1644
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4292
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5364
                                • C:\Program Files\7-Zip\7zFM.exe
                                  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\coinware alt.rar"
                                  1⤵
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:5428
                                  • C:\Users\Admin\AppData\Local\Temp\7zO435D3BD7\coinware.exe
                                    "C:\Users\Admin\AppData\Local\Temp\7zO435D3BD7\coinware.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5580

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  537815e7cc5c694912ac0308147852e4

                                  SHA1

                                  2ccdd9d9dc637db5462fe8119c0df261146c363c

                                  SHA256

                                  b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

                                  SHA512

                                  63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  8b167567021ccb1a9fdf073fa9112ef0

                                  SHA1

                                  3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

                                  SHA256

                                  26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

                                  SHA512

                                  726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                  Filesize

                                  2KB

                                  MD5

                                  e90e160befaa62d3b520e9f06775ec65

                                  SHA1

                                  7cc80d47d77ec7fa3cbc45f22e443914d527fe53

                                  SHA256

                                  24da55f1eb2d36dc200bb0aecdef9183388c6b3308d5a26562fe30d82ac5384d

                                  SHA512

                                  debcb07483d5ba5feba6ac2daed9840d58cc7af7e38225e3aabf7539d84b7b58fc124c00fb5f7d0cdb0bd5be5dcdd2cb947cfcfb13133e478ff1f9f88607ad29

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                  Filesize

                                  579B

                                  MD5

                                  a7d1701142cca705f833d70023ef4e1e

                                  SHA1

                                  1b76853132abfcddb4fefac42bf9df5d013c9815

                                  SHA256

                                  6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

                                  SHA512

                                  806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  5KB

                                  MD5

                                  a5bffa3f2c74d9c2e7a5c83b66b6136f

                                  SHA1

                                  5269b3d7fd7484806ea15734902dbdcb94a8c9b3

                                  SHA256

                                  24ff35bfb899d33564cd2d97f66143199655c57d79b65f3664ffdde691639f57

                                  SHA512

                                  f7e116b0486a5ed16e6d77eea9d0a713f18fec80e04d4373c1a71241e2a0b0f7a3762803fd15c64b2c62bb416d2e971fe84605a4b25442448e4a479d18903a36

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  8be847acfd9925b906fb778a1472a7a8

                                  SHA1

                                  68a21b052701946a1c19f288558037b154b8a70b

                                  SHA256

                                  c196ad62792be318838f60ee6705f8b19c3a76ee345ef265024ffa010ee7ad6d

                                  SHA512

                                  73f768e03a569c91bae43ac1f764795ade895d74000bb152a21db95c435780b12261cbb6868f6c06aed677d6357fe81166c0501d231c81990383085d863ff51e

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  f02537b156a9672bb840ff760bda86b1

                                  SHA1

                                  a0d87842a1ba88b1a6420ddeb7be02b695d9e64c

                                  SHA256

                                  ebc3611c4b6b93c18916eab74636b0cecb36dc351b39de5c28ee0ea0bac27c44

                                  SHA512

                                  3dd0b7581384f3c2b9bc30d2f435cea71b9d7bc67b81d0cb3b802f85348fbe6c6b1ac74b235b38cb8e20f97b90f53354c18a462d6f50e5cbf1c782da2184b4c9

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  11KB

                                  MD5

                                  cfed8634b529b15c471bda363e2be06a

                                  SHA1

                                  e0c7931f5c7bfc2d6b3ae268a355f79852fe8cc3

                                  SHA256

                                  750dff288cd4d3dbade1854fc91a46a1227f536b5a343474133491ba025f7e8a

                                  SHA512

                                  735b3aca423a8d8ebbf29c7cd5ca01d346a911a70f85544f390ea4c1a3baf89d64e65f50711e1e4284923e77936bda89c3b8868f54be980c606ebc2ae4df1968

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  11KB

                                  MD5

                                  dcbc63c096b35fb288959f79276348d3

                                  SHA1

                                  cd6114832afd9907306068cad4a781e1bdb6036b

                                  SHA256

                                  3ce3c1ee37d445769628a0e715b232cc4fe1b031a9931afee95c58badaf5f86b

                                  SHA512

                                  4d5a3b4cfd7fb5773c689db51d42af98625c1a9448d2bd5aab7c5d8bec4452d16d69b6c8851ccfd836e61b8ac114e9889d0e0bcd4f948aea2d324b465e1341b2

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\7zO435D3BD7\coinware.exe
                                  Filesize

                                  78KB

                                  MD5

                                  e27dee44985aa980ffa72f7a931834fe

                                  SHA1

                                  5aa52fbab19babdc15b5492f59f59cf379bdcc26

                                  SHA256

                                  24e27feb592f2d2debd47b9de4573cfa8dcfbd69ff09efcf6586b91e8bf7a004

                                  SHA512

                                  88bc7f9b8153c6e2a51922fa0894ad2ef763dc74c234e8d5ba8383b761ea2223dc4b565458b21f08955e72554c3d8aa5fd0d8d93ac05f5be42393ab2ee1a7af8

                                  Download Submit

                                • C:\Users\Admin\Downloads\coinware alt.rar
                                  Filesize

                                  367KB

                                  MD5

                                  a68d46c0973852c4575d6012c9927220

                                  SHA1

                                  ef31936214fe8592248b8d8dc88d9ba761581d2d

                                  SHA256

                                  8cbef6ab30cd95cf7c4979781f0821e19f1996ad47a37434fc29c0b3d2cd4da4

                                  SHA512

                                  10571c08936a0595984a30911f8758851f9ef2cb37eb66c48eae8411dbeb5e42596656de4fae8f9f076cb8722ef045b57a4cb4fdf768ac83b0c4566ef1deeb93

                                  Download Submit

                                • memory/5580-244-0x0000020567820000-0x0000020567838000-memory.dmp

                                  Filesize

                                  96KB

                                  Download

                                • memory/5580-245-0x0000020569E50000-0x000002056A012000-memory.dmp

                                  Filesize

                                  1.8MB

                                  Download

                                • memory/5580-246-0x000002056A650000-0x000002056AB78000-memory.dmp

                                  Filesize

                                  5.2MB

                                  Download